It is known in the art that each day, many tens of thousands of new malicious software programs are discovered. These programs can compromise the security of general computing devices. Possible security violations include, but are not limited to, the theft of data from the system, the usurping of the system for other nefarious purpose (like sending spam email), and, in general, the remote control of the system (by someone other than its owner) for other malicious actions.
One popular technique in the art for detecting malicious software comprises the following steps:
a. Establishing through some independent means that the application is malicious (e.g., by having a human being manually analyze it and pinpoint the presence of one or more malicious behaviors).
b. Computing a hash or fingerprint of this software. A hash is a mathematical transformation that takes the underlying binary contents of a software application and produces a relatively short string, with the idea being that two different applications will, with overwhelmingly high probability, have distinct fingerprint values. Common functions for performing this fingerprinting or hashing step include, but are not limited to, SHA-256, SHA-1, MD5, and others. Besides hash and fingerprint, another term used in the art to describe this transformation is a signature. For the purposes of this invention, the terms hash, fingerprint and signature will be used interchangeably. These terms are not synonymous with each other, but for the purposes of the invention described, the differences are immaterial.
c. Publishing this hash so that it is accessible to end-users operating a general purpose computing device (for example, the hash can be posted to a blacklist of known malicious applications).
d. Having the device compare this published fingerprint with the fingerprint of any new software applications that have arrived on the system.
e. Applying a set of steps based on a given policy if the fingerprints match (e.g., blocking the installation of the application).
The technique just described suffers from the drawback that it only works when an application has been determined to be malicious ahead of time. Put differently, it is a reactive approach. It is understood in the art that superficial changes to a malicious application will often cause it to have a different fingerprint even though the underlying actions of the application continue to be malicious. In other words, the application will look ostensibly different from the outside, but underneath its operations will be identical (analogous to how a criminal can put on different disguises involving wigs and sunglasses, even though underneath it is the same person). If the file is modified, then the corresponding fingerprint might change. If the fingerprint changes, then it will no longer match the one that was initially established for the application, and consequently the application can potentially evade detection by any anti-malware technology that uses a reactive signature-based approach.
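The following Python example, added here for illustration and not part of the original specification, walks through steps a to e of the fingerprint-based technique and then shows the drawback described above: a one-byte change to an otherwise identical sample yields an unrelated SHA-256 value and therefore no longer matches the published blacklist entry. The sample "binaries", the two-outcome policy and the helper names are constructed for this example.

```python
import hashlib
from typing import Iterable, Set

# Constructed sample "binaries"; in practice these would be the full file contents.
KNOWN_MALWARE = b"MZ\x90\x00 constructed contents of a sample judged malicious by an analyst"
BENIGN_APP = b"MZ\x90\x00 constructed contents of an unrelated benign sample"


def fingerprint(contents: bytes, algorithm: str = "sha256") -> str:
    """Step b: hash the binary contents into a short, fixed-length hex string."""
    return hashlib.new(algorithm, contents).hexdigest()


def build_blacklist(malicious_samples: Iterable[bytes]) -> Set[str]:
    """Steps a and c: publish fingerprints of samples judged malicious by independent means."""
    return {fingerprint(sample) for sample in malicious_samples}


def is_blacklisted(contents: bytes, blacklist: Set[str]) -> bool:
    """Step d: compare an arriving application's fingerprint with the published list."""
    return fingerprint(contents) in blacklist


def apply_policy(contents: bytes, blacklist: Set[str]) -> str:
    """Step e: a hypothetical two-outcome policy, block on a match and allow otherwise."""
    return "block" if is_blacklisted(contents, blacklist) else "allow"


def superficial_variant(contents: bytes) -> bytes:
    """Model the 'disguise' from the text: a single trailing byte is added, which leaves
    the program's behaviour untouched in practice but yields an unrelated fingerprint."""
    return contents + b"\x00"


if __name__ == "__main__":
    blacklist = build_blacklist([KNOWN_MALWARE])
    print("known sample  :", apply_policy(KNOWN_MALWARE, blacklist))   # block
    print("benign sample :", apply_policy(BENIGN_APP, blacklist))      # allow
    variant = superficial_variant(KNOWN_MALWARE)
    print("variant       :", apply_policy(variant, blacklist))         # allow: exact match fails
    print(fingerprint(KNOWN_MALWARE)[:16], "vs", fingerprint(variant)[:16])
```

The variant is allowed because an exact-match blacklist can only recognise the precise bytes it was built from; this is the reactive limitation that motivates the contextual approach.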
The recent explosion in malware instances appears to be a result of malware authors making frequent, but innocuous, changes to a smaller number of applications rather than creating entirely new applications. There is, accordingly, a need in the art to develop methods, components, and systems for proactively detecting malicious software in a way that addresses the above limitations. The present invention addresses these needs by using contextual information, such as the presence of other recent (malicious) activity on a system, to formulate a more accurate picture regarding whether or not a particular software application running on the system might be malicious.
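As an added illustration of the contextual idea just stated (not the specification's own method, and not a description of any claimed embodiment), the Python example below combines the exact-match blacklist check with one piece of context: whether a confirmed malicious detection was observed on the same device shortly before an unknown application arrives. The event record, the 10-minute window and the three-outcome policy (block, quarantine for analysis, allow) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Event:
    """Hypothetical record of something observed on the device (constructed for this example)."""
    time: float           # seconds since an arbitrary epoch
    kind: str             # e.g. "blacklist_hit" (confirmed malicious) or "install"
    app_fingerprint: str  # hex fingerprint of the application involved


RECENT_WINDOW = 600.0     # assumption: activity in the last 10 minutes counts as "recent"


def recent_malicious_activity(events: List[Event], now: float, window: float = RECENT_WINDOW) -> int:
    """Count confirmed malicious detections observed within `window` seconds before `now`."""
    return sum(1 for e in events if e.kind == "blacklist_hit" and now - window <= e.time <= now)


def contextual_decision(app_fingerprint: str, blacklist: Set[str], events: List[Event], now: float) -> str:
    """Hypothetical policy layering context on top of the reactive check:
    - exact blacklist match                                 -> "block"
    - unknown fingerprint, recent malicious activity seen   -> "quarantine" (hold for analysis)
    - unknown fingerprint on a quiet system                 -> "allow"
    """
    if app_fingerprint in blacklist:
        return "block"
    if recent_malicious_activity(events, now) > 0:
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    # Constructed data: one published fingerprint and one detection of it 100 s ago.
    known = "aa" * 32
    unknown = "bb" * 32
    blacklist = {known}
    events = [Event(time=1000.0, kind="blacklist_hit", app_fingerprint=known)]
    print(contextual_decision(known, blacklist, events, now=1100.0))    # block
    print(contextual_decision(unknown, blacklist, events, now=1100.0))  # quarantine
    print(contextual_decision(unknown, blacklist, events, now=5000.0))  # allow
```

The same unknown fingerprint is treated differently depending on what else has recently happened on the device, which is the proactive element the reactive fingerprint comparison on its own lacks.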